Microsoft exploit let users edit Bing search results

31 Mar 2023

Wiz Research claims the exploit gave the ability to modify search results and access the data of Bing users.

A vulnerability was discovered in Microsoft Azure that compromised “multiple applications” and gave users access to a Bing management portal.

This exploit meant that hackers would be able to modify search results and launch cyberattacks on Bing users to access personal data.

The vulnerability was discovered earlier this year by researchers at the cloud security start-up Wiz, which dubbed the exploit “BingBang”.

The researchers said Microsoft’s Azure Active Directory had a misconfiguration issue, which “exposed one of its most critical apps to any individual on the internet”.

In a blog post, the team showed that they were able to gain access to a “Bing Trivia” app, which is essentially a management portal that allowed the researchers to alter search results.

The team was able to alter a search result for best soundtracks, replacing the top result of Dune (2021) with the 1995 film Hackers.

“This proved that we could control Bing’s search results, and as we would later confirm, this control extended to Bing’s homepage content as well,” the Wiz team said.

The start-up’s CTO Ami Luttwak told The Wall Street Journal that an attacker could use this exploit to influence search results, compromise the data of millions of people and launch misinformation campaigns.

Wiz cloud security researcher Hillai Ben-Sasson said attackers could use the exploit to gain access to data on Outlook emails, Teams messages, SharePoint documents, OneDrive files and more from “any Bing user”.

The start-up reported this exploit to Microsoft’s Security Response Centre on 31 January, and Microsoft informed it that same day that the vulnerability had been fixed.

Based on a timeline presented by Wiz, Microsoft worked with Wiz to fix other vulnerable applications from this point on and stated that all the reported applications were fixed on 20 March.

For its contribution in detecting this exploit, Wiz Research was granted a $40,000 bug bounty from Microsoft.

Leigh Mc Gowran is a journalist with Silicon Republic
